#!/bin/sh /etc/rc.common
#
# Copyright (C) 2015 OpenWrt-dist
# Copyright (C) 2016 fw867 <ffkykzs@gmail.com>
#
# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#

START=99
USE_PROCD=1

CONFIG=koolproxy
KP_DIR=/usr/share/koolproxy
TMP_DIR=/tmp

alias echo_date='echo $(date +%Y年%m月%d日\ %X):'

config_n_get() {
	local ret=$(uci get $CONFIG.$1.$2 2>/dev/null)
	echo ${ret:=$3}
}

config_t_get() {
	local index=0
	[ -n "$4" ] && index=$4
	local ret=$(uci get $CONFIG.@$1[$index].$2 2>/dev/null)
	echo ${ret:=$3}
}

add_ipset_conf() {
	if [ -s /etc/adblocklist/adbypass ]; then
		echo_date 添加白名单软连接...
		cat /etc/adblocklist/adbypass | sed "s/,/\n/g" | sed "s/^/ipset=&\/./g" | sed "s/$/\/white_kp_list/g"  >> /tmp/adbypass.conf
		rm -rf /tmp/dnsmasq.d/adbypass.conf
		ln -sf /tmp/adbypass.conf /tmp/dnsmasq.d/adbypass.conf

		dnsmasq_restart=1
	fi

	if [ "$koolproxy_mode" == "2" ]; then
		if [ "$koolproxy_host" == "1" ];then
			echo_date 添加Adblock Plus Host软连接...
			ln -sf $KP_DIR/dnsmasq.adblock /tmp/dnsmasq.d/dnsmasq.adblock
		fi

		echo_date 添加黑名单软连接...
		rm -rf /tmp/dnsmasq.d/koolproxy_ipset.conf
		ln -sf $KP_DIR/koolproxy_ipset.conf /tmp/dnsmasq.d/koolproxy_ipset.conf

		echo_date 添加自定义黑名单软连接...
		if [ -s /etc/adblocklist/adblock ]; then
			cat /etc/adblocklist/adblock | sed "s/,/\n/g" | sed "s/^/ipset=&\/./g" | sed "s/$/\/black_koolproxy/g"  >> /tmp/adblock.conf
			rm -rf /tmp/dnsmasq.d/adblock.conf
			ln -sf /tmp/adblock.conf /tmp/dnsmasq.d/adblock.conf
		fi

		dnsmasq_restart=1
	fi
}

remove_ipset_conf() {
	if [ -L "/tmp/dnsmasq.d/adbypass.conf" ]; then
		echo_date 移除白名单软连接...
		rm -rf /tmp/adbypass.conf
		rm -rf /tmp/dnsmasq.d/adbypass.conf
		dnsmasq_restart=1
	fi

	if [ -L "/tmp/dnsmasq.d/koolproxy_ipset.conf" ]; then
		echo_date 移除黑名单软连接...
		rm -rf /tmp/dnsmasq.d/koolproxy_ipset.conf
		dnsmasq_restart=1
	fi

	if [ -L "/tmp/dnsmasq.d/adblock.conf" ]; then
		echo_date 移除自定义黑名单软连接...
		rm -rf /tmp/dnsmasq.d/adblock.conf
		rm -rf /tmp/adblock.conf
		dnsmasq_restart=1
	fi

	if [ -L "/tmp/dnsmasq.d/dnsmasq.adblock" ]; then
		echo_date 移除Adblock Plus Host软连接...
		rm -rf /tmp/dnsmasq.d/dnsmasq.adblock
		dnsmasq_restart=1
	fi
}


restart_dnsmasq() {
	if [ "$dnsmasq_restart" == "1" ]; then
		echo_date 重启dnsmasq进程...
		/etc/init.d/dnsmasq restart > /dev/null 2>&1
	fi
}

creat_ipset() {
	echo_date 创建ipset名单
	# Load ipset netfilter kernel modules and kernel modules
	ipset -! create white_kp_list nethash
	ipset -! create black_koolproxy iphash
	cat $KP_DIR/data/rules/yhosts.txt $KP_DIR/data/rules/adg.txt $KP_DIR/data/rules/steven.txt $KP_DIR/data/rules/antiad.txt $KP_DIR/data/rules/koolproxy.txt $KP_DIR/data/rules/adgk.txt $KP_DIR/data/rules/daily.txt $KP_DIR/data/rules/user.txt | grep -Eo "(.\w+\:[1-9][0-9]{1,4})/" | grep -Eo "([0-9]{1,5})" | sort -un | sed -e '$a\80' -e '$a\443' | sed -e "s/^/-A kp_full_port &/g" -e "1 i\-N kp_full_port bitmap:port range 0-65535 " | ipset -R -!
}

add_white_black_ip() {
	echo_date 添加ipset名单
	ip_lan="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.31.196.0/24 192.52.193.0/24 192.88.99.0/24 192.168.0.0/16 192.175.48.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255"
	for ip in $ip_lan
	do
		ipset -A white_kp_list $ip >/dev/null 2>&1

	done
	sed -e "s/^/add white_kp_list &/g" /etc/adblocklist/adbypassip | awk '{print $0} END{print "COMMIT"}' | ipset -R 2>/dev/null
	ipset -A black_koolproxy 110.110.110.110 >/dev/null 2>&1
	sed -e "s/^/add black_koolproxy &/g" /etc/adblocklist/adblockip | awk '{print $0} END{print "COMMIT"}' | ipset -R 2>/dev/null
}

load_config() {
	ENABLED=$(config_t_get global enabled 0)
	[ $ENABLED -ne 1 ] && return 0
	koolproxy_mode=$(config_t_get global koolproxy_mode 1)
	koolproxy_host=$(config_t_get global koolproxy_host 0)
	koolproxy_acl_default=$(config_t_get global koolproxy_acl_default 1)
	koolproxy_port=$(config_t_get global koolproxy_port 0)
	koolproxy_bp_port=$(config_t_get global koolproxy_bp_port)
	koolproxy_ipv6=$(config_t_get global koolproxy_ipv6 0)
	config_load $CONFIG
	return 1
}

__load_lan_acl() {
	local mac
	local ipaddr
	local proxy_mode
	config_get mac $1 mac
	config_get ipaddr $1 ipaddr
	config_get proxy_mode $1 proxy_mode
	[ -n "$ipaddr" ] && [ -z "$mac" ] && echo_date 加载ACL规则：【$ipaddr】模式为：$(get_mode_name $proxy_mode)
	[ -z "$ipaddr" ] && [ -n "$mac" ] && echo_date 加载ACL规则：【$mac】模式为：$(get_mode_name $proxy_mode)
	[ -n "$ipaddr" ] && [ -n "$mac" ] && echo_date 加载ACL规则：【$ipaddr】【$mac】模式为：$(get_mode_name $proxy_mode)
	#echo iptables -t nat -A KOOLPROXY $(factor $ipaddr "-s") $(factor $mac "-m mac --mac-source") -p tcp $(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)
	iptables -t nat -A KOOLPROXY $(factor $ipaddr "-s") $(factor $mac "-m mac --mac-source") -p tcp $(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)

	acl_nu=`expr $acl_nu + 1`
}

lan_acess_control() {
	acl_nu=0
	[ -z "$koolproxy_acl_default" ] && koolproxy_acl_default=1
	config_foreach __load_lan_acl acl_rule
	if [ $acl_nu -ne 0 ]; then
		echo_date 加载ACL规则：其余主机模式为：$(get_mode_name $koolproxy_acl_default)
	else
		echo_date 加载ACL规则：所有模式为：$(get_mode_name $koolproxy_acl_default)
	fi
}

__load_exrule() {
	local file
	local exrule
	local enable
	config_get file $1 file
	config_get exrule $1 url
	config_get enable $1 load
	if [ -n "$exrule" ]; then
		if [ $enable -ne 1 ]; then
			[ -n "$file" ] && [ -f $KP_DIR/data/rules/$file ] && rm -f $KP_DIR/data/rules/$file
			uci set koolproxy.$1.time=""
			uci commit koolproxy
			return
		fi

		if [ -z "$file" ]; then
			file=$(echo $exrule |awk -F "/" '{print $NF}')
			uci set koolproxy.$1.file="$file"
			uci commit koolproxy
		fi

		if [ ! -f $KP_DIR/data/rules/$file ]; then
			wget $exrule -q -O $TMP_DIR/$file
			if [ "$?" == "0" ]; then
				uci set koolproxy.$1.time="`date +%Y-%m-%d" "%H:%M`"
				uci commit koolproxy
				mv $TMP_DIR/$file $KP_DIR/data/rules/$file
			else
				echo "koolproxy download rule $file failed!"
				[ -f $TMP_DIR/$file ] && rm -f $TMP_DIR/$file
			fi
		fi
		cat $KP_DIR/data/rules/$file >>$KP_DIR/data/rules/user.txt
	fi
}

load_user_rules() {
	cp $KP_DIR/data/user.txt $KP_DIR/data/rules/user.txt
	config_foreach __load_exrule rss_rule
}

load_rules() {
	sed -i '1,9s/1/0/g' $KP_DIR/data/source.list
	local rulelist="$(uci -q get koolproxy.@global[0].koolproxy_rules)"
	for rule in $rulelist
	do
		case "$rule" in
			koolproxy.txt)
				sed -i '1s/0/1/g' $KP_DIR/data/source.list
			;;
			daily.txt)
				sed -i '2s/0/1/g' $KP_DIR/data/source.list
			;;
			kp.dat)
				sed -i '3s/0/1/g' $KP_DIR/data/source.list
			;;
			user.txt)
				sed -i '4s/0/1/g' $KP_DIR/data/source.list
			;;
		esac
	done

	local rulelist="$(uci -q get koolproxy.@global[0].thirdparty_rules)"
	for rule in $rulelist
	do
		case "$rule" in
                        yhosts.txt)
				sed -i '5s/0/1/g' $KP_DIR/data/source.list
			;;
			adg.txt)
				sed -i '6s/0/1/g' $KP_DIR/data/source.list
			;;
			steven.txt)
				sed -i '7s/0/1/g' $KP_DIR/data/source.list
			;;
			antiad.txt)
				sed -i '8s/0/1/g' $KP_DIR/data/source.list
			;;
		        adgk.txt)
				sed -i '9s/0/1/g' $KP_DIR/data/source.list
			;;
		esac
	done
}

get_mode_name() {
	case "$1" in
		0)
			echo "不过滤"
		;;
		1)
			echo "过滤HTTP协议"
		;;
		2)
			echo "过滤HTTP(S)协议"
		;;
		3)
			echo "过滤全端口"
		;;
	esac
}

get_jump_mode() {
	case "$1" in
		0)
			echo "-j"
		;;
		*)
			echo "-g"
		;;
	esac
}

get_action_chain() {
	case "$1" in
		0)
			echo "RETURN"
		;;
		1)
			echo "KP_HTTP"
		;;
		2)
			echo "KP_HTTPS"
		;;
		3)
			echo "KP_ALL_PORT"
		;;
	esac
}

factor() {
	if [ -z "$1" ] || [ -z "$2" ]; then
		echo ""
	else
		echo "$2 $1"
	fi
}

load_nat() {
	echo_date 加载nat规则！
	#----------------------BASIC RULES---------------------
	echo_date 写入iptables规则到nat表中...
	# 创建KOOLPROXY nat rule
	iptables -t nat -N KOOLPROXY
	# 局域网地址不走KP
	iptables -t nat -A KOOLPROXY -m set --match-set white_kp_list dst -j RETURN
	# 生成对应CHAIN
	iptables -t nat -N KP_HTTP
	iptables -t nat -A KP_HTTP -p tcp -m multiport --dport 80 -j REDIRECT --to-ports 3000
	iptables -t nat -N KP_HTTPS
	iptables -t nat -A KP_HTTPS -p tcp -m multiport --dport 80,443 -j REDIRECT --to-ports 3000
	iptables -t nat -N KP_ALL_PORT
	#iptables -t nat -A KP_ALL_PORT -p tcp -j REDIRECT --to-ports 3000
	# 端口控制
	if [ "$koolproxy_port" == "1" ]; then
		echo_date 开启端口控制：【$koolproxy_bp_port】
		if [ -n "$koolproxy_bp_port" ]; then
			iptables -t nat -A KP_ALL_PORT -p tcp -m multiport ! --dport $koolproxy_bp_port -m set --match-set kp_full_port dst -j REDIRECT --to-ports 3000
		else
			iptables -t nat -A KP_ALL_PORT -p tcp -m set --match-set kp_full_port dst -j REDIRECT --to-ports 3000
		fi
	else
		iptables -t nat -A KP_ALL_PORT -p tcp -m set --match-set kp_full_port dst -j REDIRECT --to-ports 3000
	fi
	[ "$koolproxy_ipv6" == "1" ] && ip6tables -t nat -I PREROUTING -p tcp -j REDIRECT --to-ports 3000
	# 局域网控制
	lan_acess_control
	# 剩余流量转发到缺省规则定义的链中
	iptables -t nat -A KOOLPROXY -p tcp -j $(get_action_chain $koolproxy_acl_default)
	# 重定所有流量到 KOOLPROXY
	# 全局模式和视频模式
	[ "$koolproxy_mode" == "1" ] || [ "$koolproxy_mode" == "3" ] && iptables -t nat -I PREROUTING 1 -p tcp -j KOOLPROXY
	# ipset 黑名单模式
	[ "$koolproxy_mode" == "2" ] && iptables -t nat -I PREROUTING 1 -p tcp -m set --match-set black_koolproxy dst -j KOOLPROXY
}

add_cru() {
	time=$(config_t_get global time_update)
	wirtecron=$(cat /etc/crontabs/root | grep "00 $time * * *" | grep kpupdate)
	if [ -z "$wirtecron" ];then
		sed -i '/kpupdate/d' /etc/crontabs/root >/dev/null 2>&1
		echo "0 $time * * * /usr/share/koolproxy/kpupdate" >> /etc/crontabs/root 
	fi
}

del_cru() {
	sed -i '/kpupdate/d' /etc/crontabs/root >/dev/null 2>&1
}

detect_cert(){
	if [ ! -f $KP_DIR/data/private/ca.key.pem -o ! -f $KP_DIR/data/cert/ca.crt ]; then
		echo_date 开始生成koolproxy证书，用于https过滤！
		cd $KP_DIR/data && sh gen_ca.sh
	fi
}

flush_nat() {
	echo_date 移除nat规则...
	cd $TMP_DIR
	iptables -t nat -S | grep -E "KOOLPROXY|KP_HTTP|KP_HTTPS|KP_ALL_PORT" | sed 's/-A/iptables -t nat -D/g'|sed 1,4d > clean.sh && chmod 777 clean.sh && ./clean.sh
	[ -f $TMP_DIR/clean.sh ] && rm -f $TMP_DIR/clean.sh
	iptables -t nat -X KOOLPROXY > /dev/null 2>&1
	iptables -t nat -X KP_HTTP > /dev/null 2>&1
	iptables -t nat -X KP_HTTPS > /dev/null 2>&1
	iptables -t nat -X KP_ALL_PORT > /dev/null 2>&1
	ipset -F black_koolproxy > /dev/null 2>&1 && ipset -X black_koolproxy > /dev/null 2>&1
	ipset -F white_kp_list > /dev/null 2>&1 && ipset -X white_kp_list > /dev/null 2>&1
	ip6tables -t nat -D PREROUTING -p tcp -j REDIRECT --to-ports 3000 > /dev/null 2>&1
}

export_ipt_rules() {
	FWI=$(uci get firewall.koolproxy.path 2>/dev/null)
	[ -n "$FWI" ] || return 0
	cat <<-CAT >>$FWI
	iptables-save -c | grep -v -E "KOOLPROXY|KP" | iptables-restore -c
	iptables-restore -n <<-EOF
	$(iptables-save | grep -E "KOOLPROXY|KP|^\*|^COMMIT" |\
		sed -e "s/^-A \(PREROUTING\)/-I \1 1/")
	EOF
	CAT
	return $?
}

flush_ipt_rules() {
	FWI=$(uci get firewall.koolproxy.path 2>/dev/null)
	[ -n "$FWI" ] && echo '# firewall include file' >$FWI
	return 0
}

pre_start() {
	load_config
	[ $? -ne 1 ] && return 0
	iptables -t nat -C PREROUTING -p tcp -j KOOLPROXY 2>/dev/null && [ $? -eq 0 ] && return 0;
	detect_cert
	load_rules
	load_user_rules
	add_ipset_conf && restart_dnsmasq
	creat_ipset
	add_white_black_ip
	load_nat
	flush_ipt_rules && export_ipt_rules
	add_cru
	[ "$koolproxy_mode" == "1" ] && echo_date 选择【全局过滤模式】
	[ "$koolproxy_mode" == "2" ] && echo_date 选择【IPSET过滤模式】
	if [ "$koolproxy_mode" == "3" ]; then
		echo_date 选择【视频过滤模式】
		sed -i '1s/1/0/g;2s/1/0/g' $KP_DIR/data/source.list
	fi
	return 1
}

post_stop() {
	load_config
	[ $? -ne 1 ] && NO_RESTART_DNSMASQ=false
	if [ $NO_RESTART_DNSMASQ ]; then
		remove_ipset_conf
	else
		remove_ipset_conf && restart_dnsmasq
	fi
	flush_ipt_rules
	flush_nat
	del_cru
	return 0
}

start_service() {
	echo_date ================== koolproxy启用 ================
	pre_start
	[ $? -ne 1 ] && return 0

	procd_open_instance
	procd_set_param command /usr/share/koolproxy/koolproxy
	procd_append_param command --mark
	procd_append_param command --ttl 160

	procd_set_param respawn

	procd_set_param file /etc/adblocklist/adblock
	procd_set_param file /etc/adblocklist/adblockip
	procd_set_param file /usr/share/koolproxy/data/user.txt
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_close_instance

	logger "koolproxy has started."
	echo_date =================================================
}

stop_service() {
	echo_date ====================== 关闭 =====================
	post_stop
	logger "koolproxy has stopped."
	echo_date =================================================
}

reload_service() {
	logger "koolproxy reload service."
	NO_RESTART_DNSMASQ=true
	stop
	start
}

service_triggers() {
	procd_add_reload_trigger "koolproxy"
}

restart() {
	logger "koolproxy restart service."
	NO_RESTART_DNSMASQ=true
	stop
	start
}

boot() {
	local delay=$(config_t_get global startup_delay 0)
	(sleep $delay && start >/dev/null 2>&1) &
	return 0
}
